Before I discuss wireless encryption differences, let me address the bank
web site example. Your bank's web site (and usually just about any
well-designed web site that requires entering IDs and passwords) will create
an SSL session between the web server and your browser. This encrypted
session keeps your information confidential on the Internet. As an
interesting side effect, it also keeps that same information confidential
over the air, since it gets encrypted before it leaves the wireless NIC in
your computer.
But this isn't good enough: what about all the rest of your communications?
Or what about someone hijacking your wireless network? You still need to
"secure the air," so to speak, so you've got to do something. Choosing what
to do can be daunting.
Now, generally, for wireless security, the more computers you have, the
stronger a security system you want. For a home network or small office
network of say 20 computers or less, plain old 128-bit WEP is good enough.
Change the encryption key in your access point and in all your computers
once a month -- I like to recommend on the first Monday of each month as an
easy-to-establish habit that you can put in your calendar as a reminder. To
brute-force the key an attacker will need far more data than what a small
network will generate in that time frame.
If your hardware can perform WPA PSK (pre-shared key), use that and you can
get completely out of the key-management business. WPA uses a key-management
mechanism called TKIP (temporal key integrity protocol). You program a
pre-shared *authentication* key into the AP and each client; WPA generates
new *encryption* keys for every frame (packet) of data that passes between
each client and the AP. That's a lot of encryption; it's best to use the AES
encryption algorithm (rather than WEP's RC-4) since AES is so much faster.
Change that authentication key say every six months.
If you've got multiple access points, or more than about 20 clients, then
you'll want to use a RADIUS server to handle keys and policies instead of
individually setting keys in clients. You will need to implement your own
RADIUS server to do that, and it works best if you've got an Active
Directory domain. Older wireless hardware can use only 802.1x. 802.1x is a
network port authentication protocol that uses EAP (extensible authentication
protocol) to process the authentication and RADIUS for carrying the
authentication conversation. In your RADIUS policy you'll indicate a key
lifetime -- 60 minutes is good for 802.11b, 15 minutes for 802.11a/g. Each
client that associates to the access point will receive its own WEP key and
EAP changes this key according to the interval set in the RADIUS policy.
Newer wireless hardware can use WPA, and again if you've got a network of
more than one AP or more than 20 clients WPA with RADIUS is the best way to
go. WPA still relies on RADIUS and 802.1x/EAP for the initial
authentication, but replaces EAP's key handling mechanism with its own TKIP
implementation, again changing those keys every frame.
I know this is a lot of information, but choosing a wireless security suite
isn't a trivial decision. This should help summarize:
network size           hardware manufacture date   encryption protocol   RADIUS needed?
-------------------------------------------------------------------------------------
1 AP or >20 clients    after 8/2003                WPA                   yes
1 AP or >20 clients    before 8/2003               802.1x + EAP          yes
1 AP and <20 clients   after 8/2000                WPA + PSK             no
1 AP and <20 clients   before 8/2003               WEP 128-bit           no
Note: for hardware made before 8/2003 you might be able to apply a firmware
upgrade to add WPA support. Check with the manufacturer.
Steve Riley
(e-mail address removed)
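As an added illustration of the WPA PSK step discussed in the post above (example code I wrote for this page, not part of the original post or any vendor's firmware): the "authentication key" stored on the AP and each client is not the passphrase itself but a 256-bit key derived from the passphrase and the SSID with PBKDF2-HMAC-SHA1 (4096 iterations, two SHA-1 blocks truncated to 32 bytes, as specified in IEEE 802.11i). The function names are my own; the 8-63 ASCII passphrase limit and the SSID acting as salt are the standard's rules.

```python
"""WPA-PSK (PMK) derivation: PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32 bytes)."""
import hashlib
import hmac

WPA_ITERATIONS = 4096   # fixed by IEEE 802.11i
WPA_PSK_LEN = 32        # 256-bit pre-shared key


def _pbkdf2_block(passphrase: bytes, ssid: bytes, iterations: int, index: int) -> bytes:
    """One PBKDF2 block: U1 = HMAC(P, S || INT(i)), U_n = HMAC(P, U_(n-1)); XOR all U_n."""
    u = hmac.new(passphrase, ssid + index.to_bytes(4, "big"), hashlib.sha1).digest()
    result = bytearray(u)
    for _ in range(iterations - 1):
        u = hmac.new(passphrase, u, hashlib.sha1).digest()
        result = bytearray(a ^ b for a, b in zip(result, u))
    return bytes(result)


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 32-byte WPA pre-shared key from an ASCII passphrase and the SSID."""
    if not (8 <= len(passphrase) <= 63) or not passphrase.isascii():
        raise ValueError("WPA passphrase must be 8 to 63 ASCII characters")
    p, s = passphrase.encode("ascii"), ssid.encode("utf-8")
    # SHA-1 yields 20 bytes per block; two blocks (40 bytes) are truncated to 32.
    full = _pbkdf2_block(p, s, WPA_ITERATIONS, 1) + _pbkdf2_block(p, s, WPA_ITERATIONS, 2)
    return full[:WPA_PSK_LEN]


def psk_matches_stdlib(passphrase: str, ssid: str) -> bool:
    """Cross-check the hand-rolled PBKDF2 against hashlib's implementation."""
    expected = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                                   ssid.encode("utf-8"), WPA_ITERATIONS, WPA_PSK_LEN)
    return hmac.compare_digest(wpa_psk(passphrase, ssid), expected)


if __name__ == "__main__":
    # Constructed demo values; the SSID is part of the derivation, so the same
    # passphrase yields a different PSK on a differently named network.
    for ssid in ("HomeNet", "HomeNet2"):
        print(ssid, wpa_psk("correct horse battery", ssid).hex())
```

Because the SSID is the salt, a precomputed table for one SSID is useless against another; the passphrase entropy is still what protects the key, which is why the post's advice to rotate it periodically matters.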